gabriel/tfi | Posts: 192 | 11/03/2007 8:55 AM

Hi,
We're running a HUB'n'SPOKE AD with 2 HUB sites (US and EU).
Remote sites that have more than 50 users and a properly secured server room
have a local DC which is assigned the GC role, too.
Then we have several small branch offices that do not have a local domain
controller, so they authenticate over the WAN to the HUB site.
Any site has connectivity to the HUB site within its continent (US sites to
US HUB, EU sites to EU HUB; of course there's a HUB-to-HUB link over the
ocean).
At each HUB site we have 2 DCs for each domain (1 root + 2 children) that
provide:
- authentication to small remote DC-less sites
- backup authentication to big remote sites whose local DC is temporarily
not available
As the GC is queried for authenticating users (Universal Group membership),
because of what is stated above, it becomes critical that a GC is always
available at each hub site.
So my idea is to have at least two GCs at each HUB site (of course following
these rules: http://support.microsoft.com/kb/223346/en-us), but reading some
docs around, it is said that only one GC should be run in a single site.
Do you think I will get into trouble putting 2 GCs in a single site (HUB)?
Thanks in advance.
Regards,
Gabriele
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
deji | Posts: 150 | 11/03/2007 9:32 AM

You didn't mention which doc said you'd get in trouble for having multiple GCs in one site. What "bad thing" does the doc say will happen to you?
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
________________________________________
From: ActiveDir-owner@mail.activedir.org [ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro [gabro@gabro.net]
Sent: Saturday, November 03, 2007 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2 GCs in a site... a problem?
Hi,
We're running a HUB'n'SPOKE AD with 2 HUB sites (US and EU).
Remote sites that have more than 50 users and a properly secured server room
have a local DC which is assigned the GC role, too.
Then we have several small branch offices that do not have a local domain
controller, so they authenticate over the WAN to the HUB site.
Any site has connectivity to the HUB site within its continent (US sites to
US HUB, EU sites to EU HUB; of course there's a HUB-to-HUB link over the
ocean).
At each HUB site we have 2 DCs for each domain (1 root + 2 children) that
provide:
- authentication to small remote DC-less sites
- backup authentication to big remote sites whose local DC is temporarily
not available
As the GC is queried for authenticating users (Universal Group membership),
because of what is stated above, it becomes critical that a GC is always
available at each hub site.
So my idea is to have at least two GCs at each HUB site (of course following
these rules: http://support.microsoft.com/kb/223346/en-us), but reading some
docs around, it is said that only one GC should be run in a single site.
Do you think I will get into trouble putting 2 GCs in a single site (HUB)?
Thanks in advance.
Regards,
Gabriele
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
h2bear@msn.com | Posts: 51 | 11/03/2007 9:59 AM

You can get around that recommendation as long as all DCs are GCs.
Hugh
bdesmond | Posts: 415 | 11/04/2007 2:12 AM

Right, so the OP has two options here, and given I have no real knowledge of Gabriele's environment I can't advocate one or the other.
Option 1 is to just make every DC a GC and be done with it. Depending on the speed, saturation, and utilization costs of WAN links and the size of the databases for the various domains, this might be a perfectly sensible and simple solution.
Option 2 is to have at least one DC per domain which is not a GC and will also host the IM.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Hugh
Sent: Sunday, November 04, 2007 11:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2 GCs in a site... a problem?
Hi Gabriele,
But do you understand what the concern is? The concern from MS is, in
a multi-domain forest, to not have your infrastructure master be a GC unless
all your DCs are GCs. The risk you run into is the phantom objects from the
other domain interfering with the function of the infrastructure master. So
if you have a multi-domain forest you want to keep track of your operations
master roles and where you would transfer or seize them to. That way you
would never transfer your infrastructure master to a GC when not all your
DCs are GCs. I was hoping you would learn that, more than just a "yes, you can
have multiple GCs" answer. Brian is a great contributor to this forum and has
demonstrated his knowledge in AD numerous times, so I would trust his
answers. I hope you continue to strive to get a deeper understanding of how
AD works and why.
Hugh
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Sunday, November 04, 2007 7:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2 GCs in a site... a problem?
Thanks Brian, this is exactly the answer I would have expected to hear!
Regards,
Gabriele.
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
> Sent: Sunday, 4 November 2007 5.50
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] 2 GCs in a site... a problem?
>
> I'm not sure where you read this...I have multiple customers with
> dozens of GCs per site. Consider an Exchange dedicated site - a big
> Exchange install here would likely necessitate a good number of GCs to
> function correctly.
>
> Thanks,
> Brian Desmond
> brian@briandesmond.com
> c - 312.731.3132
sakarikouti | Posts: 0 | 11/04/2007 2:58 AM

Hi Gabriele,
Here is one suggestion for your setup. It may or may not be appropriate
for you:

ROOT DOMAIN
I assume there are four DCs, two in EU HUB and two in US HUB. Make all
four also GCs and you don't need to worry about the infrastructure
master with this domain.

US CHILD DOMAIN
I assume that your two child domains are US and EU, although I could be
wrong.
If you don't go with Brian's option 1 and make all your DCs GCs (if
the WAN permits), you need one non-GC to hold the IM role (as you know).
This is best to have in the hub site of the corresponding continent. So:
- DC1, US-dom, US-hub site: infrastructure master, non-GC
- DC2, US-dom, US-hub site: GC
- DC3, US-dom, EU-hub site: GC
- DC4, US-dom, EU-hub site: GC

EU CHILD DOMAIN
This would be like the US child domain, but vice versa for EU.
----
So, five out of the six DCs on each hub site would be GCs. This should
not add any inter-site replication compared to the previous one-GC
scenario, because all additional replication is intra-site. And this is
even more true because all your forest content already lives on both
hub sites.
If some of the GC-wannabes are too underpowered to hold the new larger
AD database, then you obviously would not promote them, and get fewer
than five GCs per hub site.
Yours, Sakari
deji | Posts: 150 | 11/04/2007 4:43 AM

Nothing in that article says you will get in trouble if you have more than one GC in a site.
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
________________________________________
From: ActiveDir-owner@mail.activedir.org [ActiveDir-owner@mail.activedir.org] On Behalf Of Hugh [h2bear@msn.com]
Sent: Saturday, November 03, 2007 10:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2 GCs in a site... a problem?
Hi All
From this link http://support.microsoft.com/kb/223346 :

As a general rule, the infrastructure master should be located on a
nonglobal catalog server that has a direct connection object to some global
catalog in the forest, preferably in the same Active Directory site. Because
the global catalog server holds a partial replica of every object in the
forest, the infrastructure master, if placed on a global catalog server,
will never update anything, because it does not contain any references to
objects that it does not hold. Two exceptions to the "do not place the
infrastructure master on a global catalog server" rule are:

- Single domain forest:
In a forest that contains a single Active Directory domain, there are no
phantoms, and so the infrastructure master has no work to do. The
infrastructure master may be placed on any domain controller in the domain,
regardless of whether that domain controller hosts the global catalog or
not.

- Multidomain forest where every domain controller in a domain holds the
global catalog:
If every domain controller in a domain that is part of a multidomain forest
also hosts the global catalog, there are no phantoms or work for the
infrastructure master to do. The infrastructure master may be put on any
domain controller in that domain.
Hugh
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Saturday, November 03, 2007 9:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2 GCs in a site... a problem?
I'm not sure where you read this...I have multiple customers with dozens of
GCs per site. Consider an Exchange dedicated site - a big Exchange install
here would likely necessitate a good number of GCs to function correctly.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
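The KB 223346 rule Hugh quotes above (infrastructure master on a non-GC DC, unless the forest is single-domain or every DC in the domain is a GC) and Sakari's proposed hub layout can both be checked mechanically. The PowerShell below is an added example, not code from the thread or from Microsoft: `Test-InfrastructureMasterPlacement` evaluates one domain's role owner against the rule, `Get-InfrastructureMasterReport` feeds it from a live forest through the ActiveDirectory module, and the constructed sample at the end models Sakari's root + US + EU layout with the EU child deliberately mis-placed so the failure path is exercised. The function names, the `-DomainsInForest` parameter and every hostname are this example's own inventions.

```powershell
# Added example (not from the thread or Microsoft): checks Infrastructure
# Master (IM) placement per domain against the KB 223346 rule quoted above.
# The IM must sit on a non-GC DC unless the forest has a single domain or
# every DC of that domain is a GC (then there are no phantoms to update).
# Function names, -DomainsInForest and the sample hostnames are constructed.

function Test-InfrastructureMasterPlacement {
    param(
        [Parameter(Mandatory)] [string]   $DomainName,
        [Parameter(Mandatory)] [string]   $InfrastructureMaster,  # FQDN of the DC holding the IM role
        [Parameter(Mandatory)] [object[]] $DomainControllers,     # objects with HostName, Site, IsGlobalCatalog
        [Parameter(Mandatory)] [int]      $DomainsInForest
    )
    $im    = $DomainControllers | Where-Object { $_.HostName -eq $InfrastructureMaster }
    $nonGc = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })

    $r = [pscustomobject]@{ Domain = $DomainName; IM = $InfrastructureMaster; Status = 'OK'; Reason = '' }
    if (-not $im) {
        # Role owner not among the domain's DCs: a stale or seized role that was never cleaned up
        $r.Status = 'FAIL'; $r.Reason = 'IM role owner is not one of the domain''s DCs'
    } elseif (-not $im.IsGlobalCatalog) {
        $r.Reason = 'IM sits on a non-GC DC'
    } elseif ($DomainsInForest -eq 1) {
        $r.Reason = 'single-domain forest: no phantoms, IM may be a GC'
    } elseif ($nonGc.Count -eq 0) {
        $r.Reason = 'every DC in the domain is a GC: no phantoms, IM may be a GC'
    } else {
        $r.Status = 'FAIL'
        $r.Reason = 'IM is a GC while these DCs are not: ' +
                    (($nonGc | ForEach-Object { $_.HostName }) -join ', ')
    }
    return $r
}

# Live run (needs the ActiveDirectory module from RSAT and read access).
# Get-ADDomain reports the IM owner as a FQDN and Get-ADDomainController
# exposes HostName/Site/IsGlobalCatalog, so both feed the checker directly.
function Get-InfrastructureMasterReport {
    Import-Module ActiveDirectory -ErrorAction Stop
    $domains = @((Get-ADForest).Domains)
    foreach ($name in $domains) {
        $dom = Get-ADDomain -Identity $name
        $dcs = Get-ADDomainController -Filter * -Server $name |
               Select-Object HostName, Site, IsGlobalCatalog
        Test-InfrastructureMasterPlacement -DomainName $name `
            -InfrastructureMaster $dom.InfrastructureMaster `
            -DomainControllers $dcs -DomainsInForest $domains.Count
    }
}

# Offline dry run on a constructed dataset modelling Sakari's layout (one root
# + two child domains, two hub sites). The EU child is deliberately wrong:
# its IM is on a GC while dc3 is still a non-GC.
function New-SampleDc([string]$HostName, [string]$Site, [bool]$Gc) {
    [pscustomobject]@{ HostName = $HostName; Site = $Site; IsGlobalCatalog = $Gc }
}
$sample = @(
    @{ Domain = 'root.example'; IM = 'rdc1.root.example'; DCs = @(
        (New-SampleDc 'rdc1.root.example' 'US-hub' $true),
        (New-SampleDc 'rdc2.root.example' 'US-hub' $true),
        (New-SampleDc 'rdc3.root.example' 'EU-hub' $true),
        (New-SampleDc 'rdc4.root.example' 'EU-hub' $true)) }
    @{ Domain = 'us.root.example'; IM = 'dc1.us.root.example'; DCs = @(
        (New-SampleDc 'dc1.us.root.example' 'US-hub' $false),
        (New-SampleDc 'dc2.us.root.example' 'US-hub' $true),
        (New-SampleDc 'dc3.us.root.example' 'EU-hub' $true),
        (New-SampleDc 'dc4.us.root.example' 'EU-hub' $true)) }
    @{ Domain = 'eu.root.example'; IM = 'dc4.eu.root.example'; DCs = @(
        (New-SampleDc 'dc1.eu.root.example' 'US-hub' $true),
        (New-SampleDc 'dc2.eu.root.example' 'US-hub' $true),
        (New-SampleDc 'dc3.eu.root.example' 'EU-hub' $false),
        (New-SampleDc 'dc4.eu.root.example' 'EU-hub' $true)) }
)
$sample | ForEach-Object {
    Test-InfrastructureMasterPlacement -DomainName $_.Domain -InfrastructureMaster $_.IM `
        -DomainControllers $_.DCs -DomainsInForest $sample.Count
} | Format-Table -AutoSize
```

On the sample data the root domain passes under the "every DC is a GC" exception, the US child passes because its IM is the non-GC DC1, and the EU child fails with dc3 named as the non-GC that makes the IM's work real. Running `Get-InfrastructureMasterReport` before a role transfer or seizure is the check Hugh describes: it tells you whether the DC you are about to hand the IM role to is a GC in a domain that still has non-GC DCs.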
gabriel/tfi | Posts: 192 | 11/04/2007 9:58 AM

You're right. My statement was not accurate. To be honest it is something I
recall I've read somewhere, but I am not sure whether it was just a
best practice/recommendation (such as "put AT LEAST a GC in a site") or a
mandatory rule ("do not put MORE THAN one GC in a site").
I am uncertain, that's why I posted the problem to this list.
My idea is that multiple GCs would not be a problem in a site, but before making a
change in production I would like to listen to the experts' advice.
Thanks,
Gabriele
gabriel/tfi | Posts: 192 | 11/04/2007 9:59 AM

Yes, this is the link I posted in my original message. It deals with FSMO
placement, nothing specifically related to multiple GCs in a site.
Gabriele.
gabriel/tfi | Posts: 192 | 11/04/2007 10:02 AM

Thanks Brian, this is exactly the answer I would have expected to hear!
Regards,
Gabriele.
listmail | Posts: 494 | 11/04/2007 11:47 AM

There is no guidance that says you can only have a single GC in a site. In
fact, generally the more GCs you can have in any single location, the
better. If you can get away with making every DC in your forest into a GC
from a bandwidth and hardware standpoint, go for it.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
h2bear@msn.com | Posts: 51 | 11/04/2007 11:57 AM

Hi Gabriele,
But do you understand what the concern is? The concern from MS is, in
a multi-domain forest, to not have your infrastructure master be a GC unless
all your DCs are GCs. The risk you run into is the phantom objects from the
other domain interfering with the function of the infrastructure master. So
if you have a multi-domain forest you want to keep track of your operations
master roles and where you would transfer or seize them to. That way you
would never transfer your infrastructure master to a GC when not all your
DCs are GCs. I was hoping you would learn that, more than just a "yes, you can
have multiple GCs" answer. Brian is a great contributor to this forum and has
demonstrated his knowledge in AD numerous times, so I would trust his
answers. I hope you continue to strive to get a deeper understanding of how
AD works and why.
Hugh
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Sunday, November 04, 2007 7:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2 GCs in a site... a problem?
Thanks Brian, this is exactly the answer I would have expected to hear!
Regards,
Gabriele.
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Brian Desmond
> Sent: domenica 4 novembre 2007 5.50
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] 2 GCs in a site... a problem?
> > I'm not sure where you read this...I have multiple customers with
> dozens of GCs per site. Consider an Exchange dedicated site - a big
> Exchange install here would likely necessitate a good number of GCs to
> function correctly.
> > Thanks,
> Brian Desmond
> brian@briandesmond.com
> > c - 312.731.3132
| | | |
| h2bear@msn.com
Posts:51
 | | 11/04/2007 12:26 PM |
| Hi All
From this link http://support.microsoft.com/kb/223346:
As a general rule, the infrastructure master should be located on a
nonglobal catalog server that has a direct connection object to some global
catalog in the forest, preferably in the same Active Directory site. Because
the global catalog server holds a partial replica of every object in the
forest, the infrastructure master, if placed on a global catalog server,
will never update anything, because it does not contain any references to
objects that it does not hold. Two exceptions to the "do not place the
infrastructure master on a global catalog server" rule are:
- Single domain forest:
In a forest that contains a single Active Directory domain, there are no
phantoms, and so the infrastructure master has no work to do. The
infrastructure master may be placed on any domain controller in the domain,
regardless of whether that domain controller hosts the global catalog or
not.
- Multidomain forest where every domain controller in a domain holds the
global catalog:
If every domain controller in a domain that is part of a multidomain forest
also hosts the global catalog, there are no phantoms or work for the
infrastructure master to do. The infrastructure master may be put on any
domain controller in that domain.
Hugh
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Saturday, November 03, 2007 9:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2 GCs in a site... a problem?
I'm not sure where you read this...I have multiple customers with dozens of
GCs per site. Consider an Exchange dedicated site - a big Exchange install
here would likely necessitate a good number of GCs to function correctly.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
| | | |
| bdesmond
Posts:415
 | | 11/04/2007 12:50 PM |
| I'm not sure where you read this...I have multiple customers with dozens of GCs per site. Consider an Exchange dedicated site - a big Exchange install here would likely necessitate a good number of GCs to function correctly.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
| | | |
| gabriel/tfi
Posts:192
 | | 11/04/2007 12:55 PM |
| Hugh, thanks for your recommendation, but in my original post I stated "to
have at least two GCs at each HUB site (of course following these rules:
http://support.microsoft.com/kb/223346/en-us)", so I was already aware of the
implications of placing FSMO roles and GCs, which is what you rightly recommend
re. IM.
My question was, besides that, whether multiple GCs in a site can bring problems,
and Brian reported a good example of multiple GCs that support an Exchange
infrastructure in a site.
I started posting in this great list because I greatly value answers from
experts who have a deep knowledge of AD and already experienced most of
AD-related issues. What they're doing, sharing their knowledge, is
fantastic.
This is a way for me to get a deeper understanding of how AD works and why.
Regards,
Gabriele
| | | |
| gabriel/tfi
Posts:192
 | | 11/09/2007 9:31 AM |
| Hi Sakari,
You've perfectly pictured my current DCs config in the HUB sites.
After I've read Joe's, Brian's and your post, I wonder... what's the benefit
of having the IM on a non-GC (OPT2) instead of having all DCs as GCs (OPT1)?
(assuming of course bandwidth and hardware support allDCs=allGCs).
The only answer that comes to my mind is a "set & forget" configuration at the
HUB site that is seldom changed, rather than worrying about future DCs at
remote sites always being assigned the GC role (e.g. human carelessness: an
admin might forget to check the GC option!).
I've also noticed that a SpokeDC/GC at remote site needs 2 connection
objects if it replicates from a non-GC-DC at the hub site. So with OPT1 (Any
DC is a GC) the ADSites&Services layout would be even cleaner (1 connection
object only per remote DC), thus clearer when you need to troubleshoot
replication topology.
I would like to hear your opinion.
Regards.
Gabriele
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Sakari Kouti
> Sent: domenica 4 novembre 2007 20.58
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] 2 GCs in a site... a problem?
> > Hi Gabriele,
> > Here is one suggestion for your setup. It may or may not be appropriate
> for you:
> > ROOT DOMAIN
> > I assume there are four DCs, two in EU HUB and two in US HUB. Make all
> four also GCs and you don't need to worry about the infrastructure
> master with this domain.
> > > US CHILD DOMAIN
> > I assume that your two child domains are US and EU, although I could be
> wrong.
> > If you don't go with Brian's option 1 and make all your DCs as GCs (if
> WAN permits), you need one non-GC to hold the IM role (as you know).
> This is best to have in the hub site of the corresponding continent.
> So:
> - DC1, US-dom, US-hub site: infrastructure master, non-GC
> - DC2, US-dom, US-hub site: GC
> - DC3, US-dom, EU-hub site: GC
> - DC4, US-dom, EU-hub site: GC
> > > EU CHILD DOMAIN
> > This would be like the US child domain, but vice versa for EU.
> > ----
> > So, five out of the six DCs on each hub site would be GCs. This should
> not add any inter-site replication compared to the previous one-GC
> scenario, because all additional replication is intra-site. And this is
> even more true, because all your forest content already lives on both
> hub sites.
> > If some of the GC-wannabes are too underpowered to hold the new larger
> AD database, then you obviously would not promote them, and get fewer
> than five GCs per hub site.
> > Yours, Sakari
| | | |
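An added example, not code from the thread, from Microsoft or from any poster: a PowerShell check for the KB 223346 rule Hugh quoted (the IM must not be a GC unless every DC in its domain is a GC, or the forest has one domain), run against Sakari's proposed US child domain layout (OPT2), the all-GC variant Gabriele calls OPT1, and the "admin forgot the GC checkbox" case. Hostnames, site names, sample data and the function names are constructed assumptions; the live variant uses the ActiveDirectory module's Get-ADForest, Get-ADDomain and Get-ADDomainController.

```powershell
# Evaluates Infrastructure Master (IM) placement per domain, KB 223346 style.
# Works on plain objects so it can be tried offline with constructed data.
function Test-ImPlacement {
    param(
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [string]   $InfrastructureMaster,  # FQDN of the IM role holder
        [Parameter(Mandatory)] [object[]] $DomainControllers,     # objects with HostName, IsGlobalCatalog, Site
        [int] $DomainCount = 2                                    # domains in the forest (1 = rule irrelevant)
    )
    $im = $DomainControllers | Where-Object { $_.HostName -eq $InfrastructureMaster }
    if (-not $im) { throw "IM holder '$InfrastructureMaster' is not among the DCs of $Domain" }

    # KB exception 2: every DC in the domain is a GC, so there are no phantoms to update.
    $allGc = -not ($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })
    # The KB also wants a GC, preferably in the same site, for the IM to compare against.
    $gcInImSite = $DomainControllers | Where-Object {
        $_.IsGlobalCatalog -and $_.Site -eq $im.Site -and $_.HostName -ne $im.HostName
    }

    $status = if ($DomainCount -le 1) { 'OK: single-domain forest, IM placement does not matter' }
              elseif ($allGc) { 'OK: every DC is a GC, IM has no phantoms to update' }
              elseif (-not $im.IsGlobalCatalog) {
                  if ($gcInImSite) { 'OK: IM is a non-GC with a GC in its site' }
                  else { 'WARN: IM is a non-GC but has no GC in its site' }
              }
              else { 'VIOLATION: IM is a GC while other DCs in the domain are not' }

    [pscustomobject]@{
        Domain = $Domain; IM = $im.HostName; ImIsGC = $im.IsGlobalCatalog
        AllGC  = $allGc;  Status = $status
    }
}

# Live variant: gathers the same facts from the forest with the ActiveDirectory module.
function Get-ForestImReport {
    Import-Module ActiveDirectory
    $forest = Get-ADForest
    foreach ($d in $forest.Domains) {
        $dom = Get-ADDomain -Identity $d
        $dcs = Get-ADDomainController -Filter * -Server $d |
               Select-Object HostName, IsGlobalCatalog, Site
        Test-ImPlacement -Domain $d -InfrastructureMaster $dom.InfrastructureMaster `
                         -DomainControllers $dcs -DomainCount $forest.Domains.Count
    }
}

# Constructed sample (OPT2): Sakari's US child domain layout, IM on the one non-GC in US-HUB.
$usOpt2 = @(
    [pscustomobject]@{ HostName = 'dc1.us.example.com'; IsGlobalCatalog = $false; Site = 'US-HUB' }
    [pscustomobject]@{ HostName = 'dc2.us.example.com'; IsGlobalCatalog = $true;  Site = 'US-HUB' }
    [pscustomobject]@{ HostName = 'dc3.us.example.com'; IsGlobalCatalog = $true;  Site = 'EU-HUB' }
    [pscustomobject]@{ HostName = 'dc4.us.example.com'; IsGlobalCatalog = $true;  Site = 'EU-HUB' }
)
Test-ImPlacement -Domain 'us.example.com' -InfrastructureMaster 'dc1.us.example.com' -DomainControllers $usOpt2

# Constructed sample (OPT1): same hosts, every DC made a GC; IM placement then stops mattering.
$usOpt1 = $usOpt2 | ForEach-Object {
    [pscustomobject]@{ HostName = $_.HostName; IsGlobalCatalog = $true; Site = $_.Site }
}
Test-ImPlacement -Domain 'us.example.com' -InfrastructureMaster 'dc1.us.example.com' -DomainControllers $usOpt1

# Constructed sample: DC1 was later ticked as a GC, but a new spoke DC was not, so the IM
# now sits on a GC while a non-GC DC remains in the domain (the case the KB warns about).
$usBroken = @(
    [pscustomobject]@{ HostName = 'dc1.us.example.com'; IsGlobalCatalog = $true;  Site = 'US-HUB' }
    [pscustomobject]@{ HostName = 'dc2.us.example.com'; IsGlobalCatalog = $true;  Site = 'US-HUB' }
    [pscustomobject]@{ HostName = 'dc5.us.example.com'; IsGlobalCatalog = $false; Site = 'US-SPOKE-1' }
)
Test-ImPlacement -Domain 'us.example.com' -InfrastructureMaster 'dc1.us.example.com' -DomainControllers $usBroken
```

Running Get-ForestImReport on a schedule is one way to catch the "forgot the GC checkbox" drift Gabriele worries about before a role transfer or seizure turns it into an IM problem.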
| bdesmond
Posts:415
 | | 11/09/2007 9:44 AM |
| If your configuration can support all DCs=GCs then by all means go for it.
The issue comes into play with highly distributed organizations where the WAN can't support it. Take your typical manufacturing outfit - they have plants wherever the labor and materials are cheap. Do the math and you'll realize that's wherever WAN links are either a) incredibly expensive or b) not capable of being fast enough. If said outfit has let's say 100,000 people working for them, their GC DIT could easily be 10-15GB depending on how they use AD. So now your choices are either a) replicate a 2GB regional DIT into Timbuktu or b) replicate a 15GB GC DIT into Timbuktu.
The connections in AD Sites & Services you shouldn't be tinkering with unless you have a good reason - stick to the site links and you'll generally be fine. You will see one connection object per domain minimum between a GC and upstream partners. If the upstream is a GC then one connection is sufficient.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
| | | |
|
|